Bleichenbacher's CCA2 on RSA

A server is giving feedback it's not supposed to. Can you stage an online attack?



jshmendes

37 solved
March 15, 2016, 11:28 a.m.

Hello there, is there an optimal choice for the first s? I have tried random values (but I am sure there is a better choice) for a few hours, with no luck. Any hint? Thanks

anton

Staff
March 15, 2016, 6:47 p.m.

I started with the value s = ceiling(N / 3B) (B being defined in the paper as 2^(8 * (k-2))). This is the same value as is recommended in Step 2.a of the paper.

ryandiaz6

15 solved
July 14, 2016, 12:13 a.m.

I arrive at a valid solution but it is 14 hex characters, and a bunch of 0's padded on the right. They are not ASCII characters and this doesn't resemble a valid padded message. Any thoughts? I wouldn't think a valid solution would be found by accident.

anton

Staff
July 14, 2016, 5:51 a.m.

That doesn't sound quite right; you can email us with the specifics if you like. Otherwise I'm not sure there's much I can recommend besides double checking you implemented the algorithm, as described in the paper, correctly.

ryandiaz6

15 solved
July 14, 2016, 10:59 p.m.

I rewrote basically the exact same algorithm on a Python 2.7 machine and got the correct answer. The Python 3 version seems to give an incorrect answer. In any case I got it, thanks.

anton

Staff
July 15, 2016, 8:45 p.m.

It may have to do with the fact that Python 2 will round down to the nearest integer when you divide two integers. Python 3 will actually give you back a float when you divide two integers (use // in 3 to get the behavior of / in 2). In any case, congrats on solving the problem!
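
The division difference described in the last reply, as an added example that is not code from the thread or the challenge: Python 3's / sends a big-integer quotient through a 53-bit float, while // stays exact. The value of N, k = 32 and the helper names are assumptions made for illustration.

```python
# Added example: exact integer division vs. float division on RSA-sized integers.
# N is a constructed 256-bit odd value standing in for a modulus (not a real key).

K = 32                                   # assumed modulus length in bytes
N = (1 << 255) | int.from_bytes(bytes(range(1, 32)), "big")
B = 1 << (8 * (K - 2))                   # B = 2^(8 * (k-2)), as quoted in the thread


def ceil_div(a: int, b: int) -> int:
    """Exact ceiling of a / b for integers of any size (b > 0)."""
    return -(-a // b)


def significant_bits(x: int) -> int:
    """Number of bits from the highest to the lowest set bit of x."""
    if x == 0:
        return 0
    trailing_zeros = (x & -x).bit_length() - 1
    return x.bit_length() - trailing_zeros


def divide_both_ways(numerator: int, divisor: int):
    """Return (exact floor quotient, quotient after a trip through a float)."""
    exact = numerator // divisor          # Python 3 '//' == Python 2 '/' on ints
    via_float = int(numerator / divisor)  # Python 3 '/' yields a 53-bit float
    return exact, via_float


def first_s() -> int:
    """s = ceiling(N / 3B), computed without floats."""
    return ceil_div(N, 3 * B)


if __name__ == "__main__":
    s = first_s()
    exact, via_float = divide_both_ways(N, s)
    print("s          =", s)
    print("exact      =", hex(exact))
    print("via float  =", hex(via_float))   # leading digits, then a run of zeros
    print("sig. bits  =", significant_bits(exact), "vs", significant_bits(via_float))
```

The float-routed quotient keeps at most 53 significant bits, so in hex it shows roughly 14 meaningful digits followed by zeros.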